Blockchain technologies can drive better security solutions by providing a trust layer between the blockchain and the physical world. Hardware-based security devices can help solve problems like securing user key management and addressing weaknesses in randomness and side-channel attacks. Ledger Technology has developed multiple secure hardware devices of varying tamper resistance that integrate with blockchains in a user-friendly and developer-friendly way.

1. Blockchain technologies
drive better security solutions
Journée Blockchain SIF
November 2016
Nicolas Bacca
@btchip

2. A trust layer between the blockchain
and the physical world
For industrials, enterprises and consumers
Securing the first and last mile
LEDGER TECHNOLOGY

3. Without trust, data has no actionable value
node
node
node
node
nodeCloud servers
User on a PC or a
smartphone Industrial
sensor / IoT
node
node node
Connected
object
Blockchain/IT
trusted zone
Physical world
absence of trust
Is this really you?
Am I allowed to executethis transaction?
Critical temperature data
Did the driver got switched?

4. Why ? Cryptocurrencies come with built-in bug bounties
#SFYL
CO 2.0

5. The DAO timeline
The
DAO
The
DAO
Black
DAO
The
DAO
Black
DAO
White
DAO
The
DAO
Black
DAO
White
DAO
DAO
refund
ETH
ETC
ETH
Creation of a
new currency
Hacker exit

6. Security improvements
Aligned with the latest identity standards
Reducing dependencies on non deterministic events (randomness …)
Solving the user keyring problem
Innovating with internet-ready security devices

7. The password is dead

8. How can it be replaced ?
Hardware based cryptographic authentication for the webs
FIDO set of standards
Minimalist cryptography (one size fits all)
Multilple vendors
Slow but large traction (Google, Github)
The building block of modern security devices

9. The problems with randomness
Hard (impossible) to fully get rid of randomness
Generating unbiased randomness is a hard problem
Proving that randomness is unbiased is an even harder problem
Modern cryptographic algorithms are brittle, making it an easy attack vector

10. Attacks of the Five Eyes
No evil, omnipotent wizards
Have a lot of time
Have a lot of resources (crunching weak randoms is easy, see Logjam)
Can interfere with standards (see DUAL_EC_DRBG)
Attacks on randomness provides good plausible deniability

11. Blockchain technologies solutions to randomness
Recognize the problem : make it easier to evaluate
Only depend on it when it’s absolutely necessary (key generation)
Promote deterministic signatures (ECDSA / RFC 6979)
Avoid catastrophic algorithm failure on signature (see PS3 27C3)

12. The silent killer : side channel attacks
An unfortunate side effect of non deterministic code
Predict code parameters (such as private keys) given external events
Extremely powerful and not taken care of enough (see “CSI meets public wifi”)
Important work being done by the community on Bitcoin curve with libsecp256k1

13. The user keyring problem
Too many keys, too many protocols
Hard to backup (additional weakness / hard to remember)
Too many devices

14. Solving the user keyring
Deriving keys from a master key (BIP 32, Hierarchical Deterministic Wallets)
Using a nice property of Elliptic Curve keys
Public(PrivateK + (%n)Scalar) = PublicK + (point)Scalar * Generator
Can be extended/abused to RSA (find next prime …)
Providing an easy way to remember the master key (BIP 39, Mnemonic Phrase)
Turning entropy into words, not the other way round (see Brainflyer)

15. Why the Smartcard has to be reinvented
Not web-ready : designed to work in a trusted environment
Not user friendly (reader, drivers, middlewares)
Not developer friendly (Java Card if lucky)
Not customer audit friendly

16. Challenges of improving the Smartcard
Tamper
resistant
Developer friendly Auditable

17. What has been accomplished so far
Multiple devices with different tamper resistance properties
Web integration, reusing FIDO work on U2F (Ledger with MyEtherWallet)
Web ready : malware resistant
<Ad> New paradigms for native multi application platforms </Ad>

18. The exhaustive list of Blockchain security standards
<- (is not a security standard)

19. Blockchain security ...
Moves at startup speed (ETH from EAL0 to EAL7 in 6 months, according to ETH)
Is battlefield tested (or assets are lost very quickly)
Bitcoin is a pretty good canary (see “Some SecureRandom thoughts” on Android)
Is interesting to look at for the general security / identity industry
On the other hand can also learn a lot from those industries wrt testing / evaluation

20. Thank you
@btchip
https://www.chaintech.fr/